CGI::Session Multiple Information Disclosure Vulnerabilities
BID:17099
Info
| Bugtraq ID: | 17099 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 14 2006 12:00AM |
| Updated: | Mar 16 2006 06:25AM |
| Credit: | Joey Hess is credited with the discovery of these vulnerabilities. |
| Vulnerable: | Sherzod Ruzmetov CGI::Session 4.03 |
| Not Vulnerable: | |
Discussion
CGI::Session is prone to multiple information-disclosure vulnerabilities. These issues are due to a failure in the application to properly set file permissions.
An attacker can exploit these issues to retrieve the session data of an arbitrary user.
If an attacker can retrieve an administrative user's credentials, the attacker may then compromise the affected application. Other attacks are also possible.
Exploit / POC
These issues can be exploited through use of a web client.
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]
References
References:
- CGI::Session - persistent session data in CGI applications (Sherzod Ruzmetov)
- Debian Bug report logs - #356555 (Debian Bug Tracking System)